How to remove an (alternative) domain from a Let's Encrypt (SAN) certificate using certbot

Written by - 0 comments

Published on - Listed in Security TLS Internet

Let's Encrypt certificates can be issued as SAN (Subject Alternative Name) certificates, which cover multiple domain names or subdomains in one certificate:

root@linux ~ # certbot -n certonly --expand --webroot -w /var/www/letsencrypt -d -d -d -d

The certificate can then be listed using certbot certificates:

root@linux ~ # certbot certificates
Found the following certs:
  Certificate Name:

    Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

Note: the certificate name (identifier) is usually the first domain in the list.

The automatic renewal process (certbot renew) validates every domain contained in that certificate. If the challenge for just one of the listed domains fails, the renewal of the whole certificate fails:

2022-01-17 07:21:30,723:WARNING:certbot.renewal:Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: "\n\n\n<!DOCTYPE html>\n<html>\n    <head>\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\">\n    <meta http-equi". Skipping.

In this particular situation, the subdomain had a DNS change and now points to a different IP address. The Let's Encrypt ACME server therefore requested the http-01 challenge file from a host that does not serve it, the validation of that one domain failed, and the renewal of the whole certificate failed with it.

To remove a (sub-)domain from the certificate, run certbot with the --cert-name parameter set to the certificate name identifier and list only the remaining domains with -d:

root@linux ~ # certbot -n certonly --cert-name --expand --webroot -w /var/www/letsencrypt -d -d -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2022-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Because the beta subdomain is no longer given with -d, certbot re-issues the certificate for the listed domains only, which drops the beta subdomain from it. This can be verified with certbot certificates again:

root@linux ~ # certbot certificates --cert-name
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
  Certificate Name:
    Expiry Date: 2022-04-17 09:33:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/
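The failure above (one SAN domain that no longer points at the host) and the re-issue command are easy to combine into a pre-renewal check. The script below is an added example, not code from the original post: it reads the SANs out of the live certificate with openssl, resolves each one, keeps only the domains that still point at the IP the webroot is served from, and prints the certbot command with the remaining -d arguments. The certificate name, the IP address and the webroot are placeholders passed as arguments; `/etc/letsencrypt/live/<cert-name>/cert.pem` is certbot's standard layout, and the `-ext subjectAltName` option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes certbot's standard
# live directory layout and an openssl that supports "x509 -ext".

# Turn the "DNS:a, DNS:b" line printed by
#   openssl x509 -noout -ext subjectAltName
# into one domain per line.
san_line_to_domains() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Input: lines of "<domain> <resolved-ip>" and the IP this webroot is served
# from. Domains that still point here (and can pass an http-01 challenge) go
# to stdout; the ones that moved away are reported on stderr.
keep_domains_pointing_at() {
    expected_ip=$2
    printf '%s\n' "$1" | while read -r dom ip; do
        [ -n "$dom" ] || continue
        if [ "$ip" = "$expected_ip" ]; then
            printf '%s\n' "$dom"
        else
            printf 'dropping %s: resolves to %s, not %s\n' \
                "$dom" "${ip:-nothing}" "$expected_ip" >&2
        fi
    done
}

# Newline-separated domains -> "-d a -d b ..." on one line. The order of the
# certificate's SAN list is preserved, so the identifier domain stays first.
build_d_args() {
    args=""
    for d in $1; do
        args="$args -d $d"
    done
    printf '%s\n' "${args# }"
}

# Resolve each domain to its first IPv4 address via getent (empty if none).
resolve_domains() {
    for d in $1; do
        printf '%s %s\n' "$d" "$(getent ahostsv4 "$d" | awk 'NR==1{print $1}')"
    done
}

# Usage: suggest_reissue <cert-name> <this-host-ip> <webroot>
# Prints the certbot command that re-issues the certificate without the
# domains that no longer point at this host (mirrors the command in the post).
suggest_reissue() {
    cert_name=$1; my_ip=$2; webroot=$3
    san=$(openssl x509 -in "/etc/letsencrypt/live/$cert_name/cert.pem" \
              -noout -ext subjectAltName | grep 'DNS:')
    domains=$(san_line_to_domains "$san")
    keep=$(keep_domains_pointing_at "$(resolve_domains "$domains")" "$my_ip")
    printf 'certbot -n certonly --cert-name %s --expand --webroot -w %s %s\n' \
        "$cert_name" "$webroot" "$(build_d_args "$keep")"
}
```

Run it as `suggest_reissue <cert-name> <server-ip> /var/www/letsencrypt` and review the printed command before executing it: a domain that resolves elsewhere may be a deliberate move (drop it, as in the post) or a DNS mistake that should be fixed instead, and the script cannot tell the two apart.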
